Common use of Security Breach Reporting Clause in Contracts

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach. The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately (and in no event more than twenty-four hours after discovering the breach) notify appropriate State personnel of such Security Breach. The Contractor’s report Contractor shall identify: (i) identify the nature affected State Data and inform the State of the Security Breach; (ii) actions it is taking or will take to reduce the risk of further loss to the State. Contractor shall provide the State Data used or disclosed; (iii) who made the opportunity to participate in the investigation of the breach and to exercise control over reporting the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the The Contractor shall fully indemnify indemnify, defend, and save harmless the State from and against any costsand all fines, loss criminal or damage civil penalties, judgments, damages and assessments, including reasonable expenses suffered by, accrued against, charged to or recoverable from the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach. The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to 5 SUBCONTRACTORS Contractor shall be responsible for directing and supervising each of its subcontractors and any other indemnification obligations in this Contract, person performing any of the Work under an agreement with Contractor. Contractor shall fully indemnify be responsible and save harmless the State from any costs, loss or damage liable to the State resulting from a Security Breach for all acts or omissions of subcontractors and any other person performing any of the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractorsWork under an agreement with Contractor or any subcontractor.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately promptly notify appropriate State personnel of such Security Breach. The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other breach event for which Contractor is responsible requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if . To the State determines it to be appropriate under the circumstances extent of a breach of any particular Security Breachof the Contractor’s security obligations, and Contractor shall assume all reasonable costs associated with a Security Breach and Notification Event, incurred by the State to the extent such costs were the direct result of Contractor’s material breach of this Section 4, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. To the extent a) a Security Breach was not the result of Contractor’s material breach as described above, or b) a Security Breach is the result of Customer’s or a third party’s negligence or willful misconduct (including, without limitation, Customer’s failure to implement industry standard security processes and procedures such as password protection or encryption of sensitive personal information, or resulted from actions of disgruntled employees, hackers and other criminal or malicious third parties, or state instrumentalities), the damages and expenses subject to a claim of reimbursement under this Section 4 shall be allocated or reallocated, as the case may be, between the Customer, Contractor and any other party bearing responsibility in such proportion as appropriately reflects the relative fault of such parties, or their subcontractors, or the officers, directors, employees, agents, successors and assigns of any of them, and the liability of Contractor for reimbursement shall be proportionately reduced. In addition to any other indemnification obligations in this Contract, subject to Section 19 below, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors. This Section 4.6 states Contractor’s entire obligation and Customer’s sole and exclusive remedy for damages and expenses related to a Security Breach. 5 SUBCONTRACTORS Contractor shall be responsible for directing and supervising each of its subcontractors and any other person performing any of the Work under an agreement with Contractor. Contractor shall be responsible and liable to the State for all acts or omissions of subcontractors and any other person performing any of the Work under an agreement with Contractor or any subcontractor.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In addition to the requirements set forth in the Business Partner Agreement as may be attached to this Contract, in the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; device (; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach. The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In addition to the requirements set forth in any Business Associate Agreement attached to this Contract as Attachment E, in the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach. The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In addition to the requirements set forth in any Business Associate Agreement as may be attached to this Contract, in the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; device (; loss or theft of printed materials; or failure of security policies) policies (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach no later than two (2) business days after becomes aware of the Security Breach. The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all the costs associated with a Security Breach and Notification EventEvent to the extent the Security Breach and Notification Event is the responsibility of the Contractor, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In addition to the requirements set forth in any Business Associate Agreement as may be attached to this Contract, in the event of any actual or suspected security breach the Contractor shall report any information breach to Customer as soon as practicable, but in no event later than ten (10) business days from the confirmation by Vendor of such information breach and its applicability to Customer's data (subject to restrictions set by applicable law).” The Contractor acknowledges that in the performance of its obligations under this Contract, it may be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In addition to the requirements set forth in any Business Associate Agreement as may be attached to this Contract, in the event of any actual security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted media (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; device (; loss or theft of printed materials; or failure of security policies) policies (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach no later than two (2) business days after becomes aware of the Security Breach. The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all the costs associated with a Security Breach and Notification EventEvent to the extent the Security Breach and Notification Event is the responsibility of the Contractor, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “"Security Breach”"), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach. The Contractor’s 's report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (ivii) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (viii) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s 's security obligations or other event requiring notification under applicable law (“Notification "Noti fication Event”"), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors. 5 SUBCONTRACTORS Contractor shall be responsible for directing and supervising each of its subcontractors and any other person performing any of the Work under an agreement with Contractor. Contractor shall be responsible and liable to the State for all acts or omissions of subcontractors and any other person performing any of the Work under an agreement with Contractor or any subcontractor.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this ContractAgreement, it may shall be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In addition to the requirements set forth in the Business Associate Agreement, in the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for including PII, PHI or ePHI)(for example, but not limited to: , physical trespass on a secure facility; , intrusion or hacking or other brute force attack on any State environment; loss or , loss/theft of a PC, PC or other portable device (laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or ), loss/theft of printed materials; or , failure of security policies, etc.) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § §2435(b)(2), the Contractor shall immediately promptly and without unreasonable delay notify appropriate State personnel of such Security Breach. The Contractor’s 's report shall identify: (i) the nature of the Security Breach; , (ii) the State Data used or disclosed; , (iii) who made the unauthorized use or received the unauthorized disclosure; , (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; , and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information as they may be amended from time to time, including, but not limited to Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH, or other event requiring notification. In the event of a breach of any of the Contractor’s 's security obligations or other event requiring notification under applicable law (“"Notification Event”"), the Contractor agrees to fully cooperate with the State, assume full responsibility for such notice if notification, and to pay or be liable for the direct reasonable expenses and costs directly arising therefrom (unless the State determines it agrees to be appropriate under the circumstances of assume any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoringsuch liability) that are, in the sole determination State’s reasonable determination, required by law; computer forensics and like costs related thereto, including reasonable investigation costs resulting therefrom; and credit monitoring services to affected individuals for a period of time not to exceed one (1) year from the date of the Statebreach in an amount consistent with reasonable market costs for such services. In addition to any other indemnification obligations in this Contractagreement, the Contractor shall fully indemnify and save harmless the State from any direct costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractorssubcontractors of such State Data.

Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it may will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In addition to the requirements set forth in any Business Associate Agreement as may be attached to this Contract, in the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; device (; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach. The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-personally- identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.